We still have modules that ship with default system users with hardcoded username and a hardcoded password. In all modules the sysop can configure a different username and a different password, however, it's possible that it's forgotten or that the config has a typo. GDPR requires security by default. A module should fail at startup when username or password configuration is missing. Then the user interface is forgiving and doesn't create an unintended security hole.
Notes:
Do JIRAs exist for the modules which still have default username/passwords?
Not yet.
How many are we talking about here? is it 1? 2? 8+?
We probably want to create JIRAs for these. The MODSER JIRA project is applicable here, and they should be assigned to the K-Int team.
NOTE: I don't think this is part of a flower release yet, and will not be part of Poppy, so not stop the world critical at this point, but will ne nice to have these filed.